-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:07                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Kerberos 5 su command uses getlogin for authorization

Category:       krb5, ports
Module:         crypto/heimdal/appl/su, heimdal
Announced:      2002-01-18
Credits:        Aaron <lumpy@musicvision.com>
Affects:        FreeBSD 4.4-RELEASE
                FreeBSD 4.4-STABLE prior to the correction date
                Ports collection prior to the correction date
Corrected:      2002-01-15 21:52:48 UTC (RELENG_4)
                2002-01-17 15:45:05 UTC (RELENG_4_4)
                2001-10-31 19:58:05 UTC (heimdal port)
FreeBSD only:   NO

0.   Revision History

v1.0  2002-01-18  Initial release
v1.1  2002-09-09  Corrected date of heimdal port correction

I.   Background

The getlogin and setlogin system calls are used to manage the user
name associated with a login session.

k5su is a Kerberos 5-enabled su program.  Like su, it allows
authorized users to `switch user' in order to obtain additional
privileges.

II.  Problem Description

The setlogin system call, the use of which is restricted to the
superuser, is used to associate a user name with a login session.  The
getlogin system call is used to retrieve that user name.  The setlogin
system call is typically used by applications such as login and sshd.

The k5su command included with FreeBSD, versions prior to 4.5-RELEASE,
and the su command included in the heimdal port, versions prior to
heimdal-0.4e_2, use the getlogin system call in order to determine
whether the currently logged-in user is `root'.  In some
circumstances, it is possible for a non-privileged process to have
`root' as the login name returned by getlogin.

The `k5su' command may be installed as part of FreeBSD when Kerberos 5
support is requested, or it may be installed from the FreeBSD Ports
Collection (ports/security/heimdal), in which case it is installed
simply as `su'.

The Heimdal port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

In some circumstances, process that have been started by root but have
given up superuser privileges may be able to invoke `k5su' to regain
superuser privileges.

IV.  Workaround

Commands to be executed as root are signified by lines starting with
the `#' character.

[Kerberos 5 in the base system]

Remove the set-user-ID bit from the `k5su' executable by running the
following command as root:

# chmod u-s /usr/bin/k5su

[Heimdal port]

Remove the set-user-ID bit from the `su' executable by running the
following command as root:

# chmod u-s /usr/local/bin/su

V.   Solution

[Kerberos 5 in the base system]

NOTE: If the file /usr/bin/k5su does not exist on your system,
Kerberos 5 is not installed and you do not need to take any action.

Do one of the following:

1) Upgrade your system to 4.4-STABLE or the RELENG_4_4 security
branch, dated after the respective correction dates.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4-RELEASE
and 4.4-STABLE dated prior to the correction date.  It may or may not
apply to older, unsupported versions of FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/k5su.patch
# cd /usr/src/kerberos5/lib
# env MAKE_KERBEROS5=yes make depend
# env MAKE_KERBEROS5=yes make all install
# cd /usr/src/kerberos5/usr.bin/k5su
# env MAKE_KERBEROS5=yes make depend
# env MAKE_KERBEROS5=yes make all install

[Heimdal port]

Do one of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/heimdal-0.4e_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/heimdal-0.4e_2.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the heimdal port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

[Kerberos 5 in the base system]

Path                                                             Revision
  Branch
- -------------------------------------------------------------------------
src/crypto/heimdal/appl/su/su.c
  HEAD                                                            1.1.1.4
  RELENG_4                                                    1.1.1.1.2.2
  RELENG_4_4                                              1.1.1.1.2.1.4.1
  RELENG_4_3                                              1.1.1.1.2.1.2.1
- -------------------------------------------------------------------------

[Heimdal port]

Path                                                             Revision
- -------------------------------------------------------------------------
ports/security/heimdal/Makefile                                      1.46
ports/security/heimdal/patch-appl::su::su.c                           1.1
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPXzS0lUuHi5z0oilAQEpXQP9G3KRTXz9IBC+S+VwKwIx6lqZ0omDL8Ec
8AqhmzGyTxGikBdWL3qSZH3Ab51R9QCAd8JnN08HqrAqduzIzzG7zrmWn7r643zO
CZQH/w/1n9bwvt4nSqG8h3xwwEKKxtSKJC1/gJSPEafvVyXumOPlrcpdDktwUBHE
UaE0lGT+43U=
=v8Mv
-----END PGP SIGNATURE-----
